b'Office of Audits\nReport No. AUD-11-014\n\n\nThe FDIC\xe2\x80\x99s Privacy Program\xe2\x80\x942011\n\n\n\n\n                           September 2011\n\x0c                                    Executive Summary\n\n\n                                    The FDIC\xe2\x80\x99s Privacy Program\xe2\x80\x942011\n\n                                                                                     Report No. AUD-11-014\n                                                                                            September 2011\n\nWhy We Did The Audit\n\nThe FDIC Office of Inspector General (OIG) engaged the independent professional services firm of\nKPMG LLP (KPMG) to conduct an audit of the FDIC\xe2\x80\x99s privacy program. The objective of the audit was\nto assess the FDIC\xe2\x80\x99s privacy program and practices. The scope of the audit focused on the FDIC\xe2\x80\x99s\nprocesses for conducting and publicly posting Privacy Impact Assessments (PIA) and System of Records\nNotices (SORN) for information systems and collections of records that contain Personally Identifiable\nInformation (PII). 
Specifically, KPMG\xe2\x80\x99s work focused on assessing the FDIC\xe2\x80\x99s compliance with the\nfollowing:\n\n    \xef\x82\xb7   Section 208 of the E-Government Act of 2002 (Section 208) as it relates to performing PIAs;\n    \xef\x82\xb7   Provisions of the Privacy Act of 1974 (Privacy Act) related to SORNs and privacy policy\n        disclosures;\n    \xef\x82\xb7   Requirements of Section 522 of Division H of the Consolidated Appropriations Act, 2005, as\n        amended, for establishing a privacy program and supporting privacy policies; and\n    \xef\x82\xb7   Related privacy guidance established by the Office of Management and Budget (OMB) for\n        SORNs and PIAs.\n\nAs part of the audit, KPMG selected a non-statistical sample of six collections of PII to assess whether the\nFDIC had conducted and publically posted the associated PIAs and SORNs consistent with relevant\nFederal privacy-related provisions in Section 208, the Privacy Act, and OMB guidance. In addition,\nKPMG selected two SORNs published by the FDIC in the Federal Register to determine whether the\nSORNs (a) had been approved by the FDIC\xe2\x80\x99s Board of Directors, (b) were published in the Federal\nRegister at least 30 days prior to the collection and use of PII, and (c) satisfied the content requirements\ndefined in the Privacy Act.\n\nBackground\n\nIn fulfilling its legislative mandate of insuring deposits, supervising financial institutions, and managing\nreceiverships, and in its role as a Federal employer and acquirer of services, the FDIC creates and\nacquires a significant amount of PII (e.g., names, Social Security numbers, or biometric records) related\nto depositors and borrowers at FDIC-insured financial institutions and FDIC employees and contractors.\nImplementing proper security controls over this PII is critical to mitigating the risk of an unauthorized\ndisclosure that could lead to identity theft, consumer fraud, and potential legal liability or 
public\nembarrassment for the Corporation.\n\nA number of Federal statutes establish requirements associated with analyzing how PII is handled, such as\nperforming PIAs and making public notifications regarding completed PIAs and the categories of PII\ncollected, maintained, retrieved, and used. A PIA is a process for (1) examining the risks and\nramifications of using information technology to collect, maintain, and disseminate PII from or about\nmembers of the public and (2) identifying and evaluating protections and alternative processes to mitigate\nthe impact to privacy of collecting such information. The public notification regarding completed PIAs\nand the categories of PII collected, maintained, retrieved, and used by the agency is referred to as a\nSORN.\n\x0c                                     The FDIC\xe2\x80\x99s Privacy Program\xe2\x80\x942011\n   Executive Summary\n\n                                                                                     Report No. AUD-11-014\n                                                                                            September 2011\n\nSection 522 established the requirement that Federal agencies implement formal privacy programs. The\nstatute requires agency Chief Privacy Officers (CPO) to have primary responsibility for the agency\xe2\x80\x99s\nprivacy and data protection policy. As part of that responsibility, the CPO must assure the agency\xe2\x80\x99s use\nof technology sustains privacy protections. The CPO must also prepare an annual report to the Congress\non the activities that affect privacy, including complaints of privacy violations, and implementation of\nrelated internal controls.\n\nAudit Results\n\nKPMG concluded that, except as noted below, the FDIC\xe2\x80\x99s privacy program and practices for processing\nPIAs and SORNs were compliant with selected provisions of Section 522, Section 208, the Privacy Act,\nand OMB guidance. 
Among other things, the FDIC had appointed a CPO with overall responsibility for\nthe FDIC\xe2\x80\x99s privacy program and submitted annual privacy reports to OMB and the Congress as required\nby Section 522. Consistent with Section 208 and Privacy Act requirements, the FDIC had established\nprocesses for preparing PIAs and SORNs and making them publicly available and posted its privacy\npolicies on the FDIC\xe2\x80\x99s public Web site. In addition, PIAs for five of the six PII collections sampled\ncontained the required information regarding the FDIC\xe2\x80\x99s collection and use of PII. The one exception is\ndescribed below. Moreover, the two SORNs that KPMG sampled had been properly approved by FDIC\nmanagement, published in the Federal Register, and addressed the content requirements of the Privacy\nAct. Further, the FDIC included the required legal disclosures, referred to as a Privacy Act Statement, on\nall sampled forms that collect PII from the public in accordance with the Privacy Act.\n\nWhile the above results are positive, KPMG also found that for three of the six PII collections sampled,\nthe PIAs were not made available to the public until after the FDIC began collecting the PII.\nAdditionally, the PIA covering one of the six sampled PII collections did not fully describe (a) what\ninformation was being collected, (b) the purpose of the collection, or (c) how the information was\nsecured.\n\nRecommendations and Management Comments\n\nThe report includes three recommendations intended to strengthen the Corporation\xe2\x80\x99s privacy program\npractices pertaining to PIAs and SORNs. Specifically, the report recommends that the CPO issue a\ncorporate-wide policy requiring PIAs to be completed before collecting, maintaining, or disseminating\nPII. 
The report also recommends that the FDIC develop strategies for (1) elevating and reporting\ninstances of non-compliance with privacy-related requirements to appropriate senior management\nofficials who are in a position to ensure they are promptly and effectively resolved and (2) identifying and\naddressing instances of new PII collections that occur outside of the traditional systems development\nlifecycle that might require a PIA.\n\nOn September 12, 2011, the FDIC\xe2\x80\x99s Chief Information Officer (CIO), who also serves as the Director,\nDivision of Information Technology, and CPO, provided a written response to a draft of this report. In\nthe response, the CIO concurred with all three recommendations and described planned corrective actions\nthat are responsive to the recommendations.\n\x0cFederal Deposit Insurance Corporation                                                                Office of Audits\n3501 Fairfax Drive, Arlington, VA 22226                                                 Office of Inspector General\n\n\nDATE:                                     September 23, 2011\n\nMEMORANDUM TO:                            Russell G. Pittman, Chief Information Officer,\n                                          Director, Division of Information Technology, and\n                                          Chief Privacy Officer\n\n\n                                          /Signed/\nFROM:                                     Mark F. Mulholland\n                                          Assistant Inspector General for Audits\n\nSUBJECT:                                  The FDIC\xe2\x80\x99s Privacy Program\xe2\x80\x942011\n                                          (Report No. AUD-11-014)\n\n\nThe subject final report is provided for your information and use. The FDIC Office of\nInspector General (OIG) contracted with the independent professional services firm of KPMG\nLLP (KPMG) to perform the work. 
Please refer to the Executive Summary, included in the\nreport, for the overall audit results. Our evaluation of your response is incorporated into the\nbody of the report. Your comments on a draft of this report were sufficient to resolve the\nrecommendations.\n\nConsistent with the OIG\xe2\x80\x99s new approach to the Corrective Action Closure (CAC) process, the\nOIG plans to limit its review of CAC documentation to those recommendations that we\ndetermine to be particularly significant. Such determinations will be made when the Office of\nEnterprise Risk Management (OERM) advises us that corrective action for a recommendation\nhas been completed. Recommendations deemed to be significant will remain open in the\nOIG\xe2\x80\x99s System for Tracking and Reporting (STAR) until we determine that corrective actions\nare responsive. All other recommendations will be closed in STAR upon notification by\nOERM that corrective action is complete, but remain subject to follow-up at a later date.\n\nIf you have questions concerning the report, please contact me at (703) 562-6316 or Daniel\nCraven at (703) 562-6317. We appreciate the courtesies extended to the KPMG staff and OIG\naudit staff.\n\nAttachment\n\ncc:        James H. Angel, Jr., Director, OERM\n           Bret D. Edwards, Director, DRR\n           Gary Jackson, Legal Division\n           Ned Goldberg, DIT\n           Rack Campbell, DIT\n           Steven B. 
Lott, DIT\n\x0c                                Contents\n\n\n\n\nPart I\n\n   Report by KPMG LLP                                        I-1\n   The FDIC\xe2\x80\x99s Privacy Program\xe2\x80\x942011\n\nPart II\n\n   Management\xe2\x80\x99s Comments and OIG Evaluation                  II-1\n\n   Management\xe2\x80\x99s Comments                                     II-2\n\n   Summary of Management\xe2\x80\x99s Comments on the Recommendations   II-4\n\x0c      Part I\n\nReport by KPMG LLP\n\x0cAudit of the FDIC\xe2\x80\x99s Privacy Program\xe2\x80\x932011\n\n\n\nPrepared for the\nFederal Deposit Insurance Corporation\nOffice of Inspector General\nSeptember 19, 2011\n\n\n\n\nKPMG LLP\n2001 M Street, NW\nWashington, DC 2003\n\x0c                                                        TABLE OF CONTENTS\n\n\nEXECUTIVE SUMMARY ......................................................................................................................I-3\nBACKGROUND .......................................................................................................................................I-6\n   WHAT IS PRIVACY?................................................................................................................................. I-6\n   PRIVACY INFORMATION AT THE FDIC ................................................................................................... I-6\n   CHARACTERISTICS OF A PRIVACY PROGRAM ......................................................................................... I-7\n   FEDERAL REQUIREMENTS FOR PRIVACY PROGRAMS ............................................................................. I-7\n   FDIC\xe2\x80\x99S PRIVACY PROGRAM AND CHIEF PRIVACY OFFICER ROLES AND RESPONSIBILITIES................. 
I-7\nRESULTS OF AUDIT .............................................................................................................................I-8\n   SECTION 522 \xe2\x80\x93 CHIEF PRIVACY OFFICER, POLICIES, AND PROCEDURES ............................................... I-8\n   SECTION 208 \xe2\x80\x93 PRIVACY IMPACT ASSESSMENTS ................................................................................... I-9\n   PRIVACY ACT - SYSTEM OF RECORDS NOTICES ................................................................................... I-16\nAPPENDIX I \xe2\x80\x93 OBJECTIVE, SCOPE, AND METHODOLOGY ....................................................I-17\n   OBJECTIVE ............................................................................................................................................ I-17\n   SCOPE ................................................................................................................................................... I-17\n   METHODOLOGY .................................................................................................................................... I-18\nAPPENDIX II \xe2\x80\x93 SIGNIFICANT CRITERIA ......................................................................................I-19\n   APPLICABLE STATUTORY PRIVACY CRITERIA ..................................................................................... I-19\n   APPLICABLE PRIVACY-RELATED OMB GUIDANCE ............................................................................. I-20\n   APPLICABLE FDIC POLICY REGARDING PRIVACY ............................................................................... I-20\n   OTHER RELEVANT PRIVACY GUIDANCE .............................................................................................. 
I-21\nAPPENDIX III \xe2\x80\x93 LIST OF ACRONYMS ............................................................................................I-22\nAPPENDIX IV \xe2\x80\x93 GLOSSARY OF TERMS ........................................................................................I-23\n\n\n\n\n                                                                           I-2\n\x0c                                      KPMG LLP\n                                      2001 M Street, NW\n                                      Washington, DC 20036-3389\n\n\nEXECUTIVE SUMMARY\n\nHonorable Jon T. Rymer\nInspector General\nFederal Deposit Insurance Corporation\n3501 N. Fairfax Drive\nArlington, VA 22226\n\n\nRe: Transmittal of Results for the Audit of the FDIC\xe2\x80\x99s Privacy Program\xe2\x80\x932011\n\nDear Mr. Rymer:\n\nThis report presents the results of our independent audit of the Federal Deposit Insurance\nCorporation\xe2\x80\x99s (FDIC) privacy program and practices. This performance audit is intended, in part, to\nmeet the requirements established by Section 522 of Division H of the Consolidated Appropriations\nAct, 2005, as amended and now re-codified to 42 United States Code (U.S.C.) \xc2\xa7 2000ee-2 (Section\n522). The audit objective was to assess the FDIC\xe2\x80\x99s privacy program and practices. 
The scope of the\naudit focused on the FDIC\xe2\x80\x99s processes for conducting and publicly posting Privacy Impact\nAssessments (PIA) and System of Records Notices (SORN) for information systems and collections of\nrecords that contain Personally Identifiable Information (PII).1 Specifically, the audit included an\nassessment of the FDIC\xe2\x80\x99s compliance with the following:\n\n    (a) Section 208 of the E-Government Act of 2002 (Section 208)2 as it relates to performing PIAs,\n    (b) Provisions of the Privacy Act of 1974 (Privacy Act) related to SORNs and privacy policy\n        disclosures,\n    (c) Section 522 requirements for establishing a privacy program and supporting privacy policies,\n        and\n    (d) Relevant privacy guidance established by OMB for SORNs and PIAs.\n\nOur audit included a non-statistical3 selection of six collections of PII pertaining to business processes\nwithin the Division of Resolutions and Receiverships (DRR). Within the FDIC, DRR has primary\nresponsibility for planning and efficiently handling the resolution of failing financial institutions,\nincluding coordinating all efforts related to the analysis, valuation, marketing, and sale of failing or\n\n1\n  The Office of Management and Budget\xe2\x80\x99s (OMB) Memorandum M-03-22, OMB Guidance for Implementing the Privacy\n   Provisions of the E-Government Act of 2002, defines information in an identifiable form (IIF) as information in an\n   information system or an on-line collection that directly identifies an individual (e.g., name, address, Social Security\n   number (SSN), or other identifying code, telephone number, email address, etc.) or by which an agency intends to identify\n   specific individuals in conjunction with other data elements. 
OMB Memorandum M-06-19, Reporting Incidents Involving\n   Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology\n   Investments, introduces the term PII as a replacement for IIF. Our report uses the term PII to be consistent with more\n   recent OMB memoranda, such as OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of\n   Personally Identifiable Information, and National Institute of Standards and Technology (NIST) guidance.\n2\n  The E-Government Act requires an agency to take certain actions before developing or procuring information technology\n   that collects, maintains, or disseminates information that is in an identifiable form; or initiating a new collection of\n   information that will be collected, maintained, or disseminated using information technology; and includes any information\n   in an identifiable form permitting the physical or online contacting of a specific individual. These actions include\n   conducting, preparing, and generally making a PIA publicly available.\n33 A non-statistical sample is judgmental and, therefore, cannot be projected to the population.\n                                                                   I-3\n                                      KPMG LLP is a Delaware limited liability partnership,\n                                      the U.S. member firm of KPMG International Cooperative\n                                      (\xe2\x80\x9cKPMG International\xe2\x80\x9d), a Swiss entity.\n\x0cfailed institutions and associated assets such as residential mortgages, commercial loans, and other\nconsumer loans. For each collection selected, we assessed whether the FDIC conducted and publicly\nposted the associated PIAs and SORNs consistent with relevant Federal privacy-related provisions in\nSection 208, the Privacy Act, and OMB guidance. 
We also reviewed the 2 most recent SORNs created\nwithin the last 3 years from a population of 32 SORNs.4 The scope of the audit did not include an\nevaluation of access controls over PII collected and maintained by the FDIC as the Office of Inspector\nGeneral (OIG) planned to evaluate these controls as part of its annual independent security evaluation\nrequired by the Federal Information Security Management Act (FISMA) of 2002.\n\nOn June 30, 2011, we shared our preliminary results with representatives of the Division of\nInformation Technology (DIT), DRR, and Legal Division. In preparing our report, we considered\nfeedback received from these officials.\n\nWe concluded that, except as noted below, the FDIC\xe2\x80\x99s privacy program and practices for processing\nPIAs and SORNs were compliant with selected provisions of Section 522, Section 208, the Privacy\nAct, and OMB guidance. Among other things, the FDIC had appointed a Chief Privacy Officer (CPO)\nwith overall responsibility for the FDIC\xe2\x80\x99s privacy program and submitted annual privacy reports to\nOMB and the Congress as required by Section 522. Consistent with Section 208 and Privacy Act\nrequirements, the FDIC established processes for preparing PIAs and SORNs and making them\npublicly available and posted its privacy policies on the FDIC\xe2\x80\x99s public Web site. In addition, PIAs for\nfive of six PII collections sampled contained the required information regarding the FDIC\xe2\x80\x99s collection\nand use of PII. The one exception is described below. In addition, the two SORNs we sampled had\nbeen properly approved by FDIC management, published in the Federal Register, and addressed the\ncontent requirements of the Privacy Act. 
Further, the FDIC included the required legal disclosures,\nreferred to as a Privacy Act Statement, on all sampled DRR forms that collect PII from the public in\naccordance with the Privacy Act.\n\nWhile the above results are positive, we also found that for three of the six PII collections sampled, the\nPIAs were not made available to the public until after the FDIC began collecting the PII. Additionally,\nthe PIA covering one of six sampled PII collections did not fully describe (a) what information was\nbeing collected, (b) the purpose of the collection, or (c) how the information was secured.\n\nOur report includes recommendations intended to strengthen the Corporation\xe2\x80\x99s privacy program\npractices pertaining to PIAs and SORNs. Specifically, we are recommending that the CPO issue a\ncorporate-wide policy requiring PIAs to be completed before collecting, maintaining, or disseminating\nPII. We are also recommending that the FDIC develop strategies for (1) elevating, reporting, and\nresolving instances of non-compliance with privacy-related requirements and (2) identifying instances\nof new PII collections that occur outside of the traditional systems development lifecycle that might\nrequire a PIA.\n\nThe American Institute of Certified Public Accountants (AICPA) developed the Generally Accepted\nPrivacy Principles (GAPP) as a framework to help organizations proactively manage privacy risks.\nGAPP provides a set of recommended privacy practices to help organizations build effective privacy\nprograms. FDIC management has voluntarily adopted aspects from the 10 principles of GAPP and\nincorporated those principles and associated practices into the FDIC\xe2\x80\x99s Privacy Program Strategic\nFramework, dated August 11, 2008. We compared the FDIC\xe2\x80\x99s privacy monitoring activities to one\n\n4\n The prior 30 SORNs were created from 1975 to 2007. 
As these SORNs existed for a substantial amount of time prior to our\naudit, we did not select them for testing. We analyzed the more recent SORNS to obtain a more representative sample of the\nFDIC\xe2\x80\x99s current Privacy Act compliance practices. These two SORNs were FDIC-30-64-0032, Nationwide Mortgage Licensing\nSystem and Registry, and FDIC-30-64-0031, Online Ordering Request Records. They are publicly available at\nhttp://www.fdic.gov/regulations/laws/rules/2000-4050.html#fdictail.\n                                                            I-4\n\x0cGAPP principle, Monitoring and Enforcement, and the related criteria, controls, and procedures that\ncan be used by an organization to monitor compliance with its privacy policies and procedures. As the\nFDIC is not required by policy or statute to implement GAPP, we have separately communicated the\nresults of this comparison to the FDIC.\n\nWe conducted our performance audit in accordance with Generally Accepted Government Auditing\nStandards (GAGAS) issued by the Comptroller General of the United States. Those standards require\nthat we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable\nbasis for our findings and conclusions based on our audit objective. We believe that the evidence\nobtained provides a reasonable basis for our findings and conclusions based on our audit objective.\n\nWe tested the FDIC\xe2\x80\x99s privacy processes that were implemented as of May 10, 2011. 
We caution that\nprojecting the results of our audit to future periods is subject to the risks that controls may become\ninadequate because of changes in conditions or because compliance with controls may deteriorate.\n\nAppendix I provides the objective, scope, and methodology of this performance audit; Appendix II lists\nsignificant criteria; Appendix III provides a list of acronyms; and Appendix IV provides a glossary of\nterms.\n\nSincerely,\n\n\n\n\nSeptember 19, 2011\n\n\n\n\n                                                 I-5\n\x0cKPMG\xe2\x80\x99s Audit of the FDIC\xe2\x80\x99s Privacy Program \xe2\x80\x93 2011\n\nBACKGROUND\nWhat is Privacy?\nThe concept of \xe2\x80\x9cprivacy\xe2\x80\x9d is one whose meaning differs depending on the individual, the culture, or the\ncontext of its use. From a legal perspective, \xe2\x80\x9cprivacy\xe2\x80\x9d means \xe2\x80\x9cthe right to be free of unnecessary public\nscrutiny or to be left alone.\xe2\x80\x9d5 Within the Federal Government, privacy refers to information about U.S.\ncitizens and their right to privacy. Within that context, privacy is defined as the ability of a person to\ncontrol the availability of information about them, especially information that may be used to uniquely\nidentify that individual. Protecting this information and ensuring each individual\xe2\x80\x99s right to privacy is\nfundamental to promoting trust in Government and ensuring the rights of the people.\n\nBalancing the need for protecting the privacy of U.S. citizens is the need for the U.S. Government to\ndeliver services to beneficiaries of Government programs efficiently. Information systems provide the\nU.S. Government significant capabilities to deliver these services and benefit programs efficiently.\nWithout the trust and confidence of the public to voluntarily share PII, most Government agencies could\nnot efficiently and effectively carry out their program\xe2\x80\x99s mission. 
The growth in the collection of PII\nreflects the essential need for Government agencies to use PII. In the 2009 FISMA report to the\nCongress,6 OMB reported that the number of Federal information systems collecting and processing PII\nincreased 31 percent from 2007 to 2009. Parallel with the increase in the collection of PII are media\nreports of identity theft and massive losses of PII records, such as an incident that occurred at a Federal\nagency where a lost laptop contained PII on 26 million veterans.\nPrivacy Information at the FDIC\nIn its capacity as the Receiver of failing or failed financial institutions, the FDIC collects significant\nquantities of PII from failing or failed financial institutions. Such information includes, for example,\nsensitive PII, such as names, addresses, SSNs, phone numbers, dates of birth, and account and loan data\nfor institution depositors, borrowers, and employees. The FDIC utilizes this sensitive PII in many\nresolution activities, such as paying depositor claims, valuing assets (e.g., loans) from failed institutions,\nand pursuing claims against individuals that contributed to the financial institution\xe2\x80\x99s failure.\n\nWith the significant increase in resolution and receivership activity in 2009 and 2010, the FDIC\ncontracted with third parties to perform many duties associated with closing financial institutions and\nselling acquired assets. To address the risks associated with vendors processing sensitive PII on the\nFDIC\xe2\x80\x99s behalf, the FDIC\xe2\x80\x99s Information Security and Privacy Staff (ISPS) began performing security and\nprivacy risk assessments for vendors that process significant amounts of sensitive bank customer data. As\npart of each vendor privacy risk assessment, ISPS completed a 51-question privacy assessment,\nconducted an interview with the vendors, and prepared a vendor assessment report. 
ISPS also reported\nthat it continued its practice of performing physical security walkthroughs in 2009 to identify unsecured\nPII.\n\n\n\n\n5\n    Nolo\xe2\x80\x99s Plain-English Law Dictionary.\n6\n    OMB\xe2\x80\x99s Fiscal Year 2009 Report to Congress on the Implementation of the Federal Information Security Management Act of 2002\n     found at http://www.whitehouse.gov/sites/default/files/omb/assets/egov_docs/FY09_FISMA.pdf.\n                                                               I-6\n\x0cKPMG\xe2\x80\x99s Audit of the FDIC\xe2\x80\x99s Privacy Program \xe2\x80\x93 2011\n\nCharacteristics of a Privacy Program\nGovernment organizations must balance the implementation of                         Privacy Program\nmission objectives and business functions with risk.\nMaintaining this balance requires organizations to establish a\nprivacy program encompassing multiple facets, such as an\norganization\xe2\x80\x99s people, processes, and technology. The exhibit\nPrivacy Program depicts seven components of a privacy\nprogram found in leading organizations. An effective privacy\nprogram provides protection to information and information\nsystems from unauthorized access, use, or disclosure in order to\nmaintain the confidentiality of information. The confidentiality\nof information has a major impact on the operations and assets\nof an organization as well as the welfare of individuals.\n\n\nFederal Requirements for Privacy Programs\nThe passage of Section 522 in the Consolidated Appropriations\nAct of 2005 established the requirement that federal agencies\nimplement formal Privacy Programs.7 Prior to the passage of\nSection 522, many federal agencies divided implementation\nresponsibilities for the Privacy Act and the E-Government Act\nwith varying degrees of success. 
Congress recognized the need\nfor agencies to unify disparate activities under a single program\nto improve efficiency and effectiveness; and thus it established\nthe Privacy Program requirements in Section 522.                                 Source: KPMG analysis of Federal privacy legislation\n                                                                                 and OMB requirements.\nSection 522 requires the agency\xe2\x80\x99s CPO to have primary\nresponsibility for agency privacy and data protection policies. As part of that responsibility, the CPO\nmust assure that the agency\xe2\x80\x99s use of technology sustains privacy protections. The CPO must also prepare\nan annual report to the Congress on the activities that affect privacy, including complaints of privacy\nviolations, and implementation of related internal controls.8\n\n\nFDIC\xe2\x80\x99s Privacy Program and Chief Privacy Officer Roles and Responsibilities\nThe FDIC Chief Information Officer (CIO) serves as the CPO and reports directly to the FDIC Chairman.\nThe CPO is a statutorily-mandated position and serves as the Senior Agency Official for Privacy\nresponsible for establishing and implementing a wide range of privacy and data protection policies and\nprocedures pursuant to various legislative and regulatory requirements.           In executing these\nresponsibilities, the CPO collaborates and consults with the FDIC\xe2\x80\x99s Legal Division; the divisional\nInformation Security Managers; the Privacy Counterparts Committee; and individuals within the Division\nof Risk Management Supervision.9\n\n\n\n\n7\n  While Section 522 does not define \xe2\x80\x9cagency,\xe2\x80\x9d the FDIC determined that the better course would be to comply with this Section.\n8\n  Annually, the FDIC CPO prepares and submits responses to OMB\xe2\x80\x99s privacy questions as part of the Corporation\xe2\x80\x99s FISMA report to\n   OMB and the Congress. 
This annual submission satisfies Section 522 reporting requirements.\n9\n  During the audit period, the Division of Supervision and Consumer Protection changed their name to the Division of Risk\n   Management Supervision effective February 13, 2011 to recognize its new and enhanced responsibilities under the Dodd-Frank\n   Wall Street Reform and Consumer Protection Act.\n                                                              I-7\n\x0cKPMG\xe2\x80\x99s Audit of the FDIC\xe2\x80\x99s Privacy Program \xe2\x80\x93 2011\n\nRESULTS OF AUDIT\nWe concluded that, excepted as noted later in the report, the FDIC\xe2\x80\x99s privacy program and practices for\nprocessing PIAs and SORNs were compliant with selected provisions of Section 522, Section 208, the\nPrivacy Act, and OMB guidance. Among other things, the FDIC had appointed a CPO with overall\nresponsibility for the FDIC\xe2\x80\x99s privacy program and submitted annual privacy reports to OMB and the\nCongress as required by Section 522. Consistent with Section 208 and Privacy Act requirements, the\nFDIC established processes for preparing PIAs and SORNs and making them publicly available and\nposted its privacy policies on the FDIC\xe2\x80\x99s public Web site. In addition, PIAs for five of six PII collections\nsampled contained the required information regarding the FDIC\xe2\x80\x99s collection and use of PII. The one\nexception is discussed later in the report. In addition, the two SORNs we sampled had been properly\napproved by FDIC management, published in the Federal Register, and addressed the content\nrequirements of the Privacy Act. 
Further, the FDIC included the required legal disclosures, referred to as\na Privacy Act Statement, on all sampled DRR forms that collect PII from the public in accordance with\nthe Privacy Act.\n\nWhile the above results are positive, we also found that for three of the six PII collections sampled, the\nPIAs were not made available to the public until after the FDIC began collecting the PII. Additionally,\nthe PIA covering one of six sampled collections of PII did not fully describe (a) what information was\nbeing collected, (b) the purpose of the collection, or (c) how the information was secured.\n\nSection 522 \xe2\x80\x93 Chief Privacy Officer, Policies, and Procedures\nSection 522 of the Consolidated Appropriations Act, 2005, re-codified to 42 U.S.C. \xc2\xa7 2000ee-2, is the\nmost recent addition to the privacy statutory landscape that governs the privacy practices of Federal\nagencies. This legislation expands on the foundation and framework laid by the Privacy Act and the\nE-Government Act by instituting programmatic-level requirements and reinforcing the provisions of\nprior legislation.\n\nSection 522 establishes two ongoing requirements for those Federal agencies that are bound by that\nSection. First, the agencies must appoint a CPO and delegate to that individual specific responsibilities\nrelated to privacy operations. Second, the agencies must establish comprehensive privacy and data\nprotection policies and procedures that are consistent with statutory and regulatory requirements, including the Privacy Act,\nthe E-Government Act, and OMB guidance.\n\nKPMG evaluated the FDIC\xe2\x80\x99s Privacy Program for compliance with selected Section 522 requirements.\nSpecifically, KPMG determined whether the FDIC appointed a CPO, assigned responsibilities to the CPO\nconsistent with the legislation, and developed policies and procedures to implement the Privacy Act and\nSection 208. 
KPMG also determined whether the FDIC\xe2\x80\x99s\nwritten policies and procedures addressed the legislative requirements of the Privacy Act, Section 208,\nand Section 522.\n\nIn March 2005, the FDIC appointed a senior official, the CIO, as the FDIC\xe2\x80\x99s CPO with overall\nresponsibility for the Corporation\xe2\x80\x99s Privacy Program. The FDIC also designated a Privacy Program\nManager to support the CPO in developing and implementing corporate privacy requirements. Through\nthe Privacy Program Office, the FDIC has instituted a mandatory, online annual privacy training program\nfor all employees and all contractors who have access to the FDIC\xe2\x80\x99s internal network. Supplementing the\nannual privacy training are periodic email reminders from the FDIC CIO to safeguard sensitive\ninformation, including PII, and privacy awareness posters displayed adjacent to shared printers and copiers.\nFurther, to promote the secure destruction of sensitive information, the FDIC has placed shred bins in\nhallways throughout the FDIC\xe2\x80\x99s Washington, D.C., and Virginia Square offices.\n\nSection 208 \xe2\x80\x93 Privacy Impact Assessments\nSection 208 includes requirements for Federal agencies to conduct PIAs prior to initiating a new\ncollection of PII or developing or procuring information technology (IT) systems or projects that collect,\nmaintain, or disseminate information in an identifiable form from or about members of the public, or\ninitiating, consistent with the Paperwork Reduction Act, a new electronic collection of information in an\nidentifiable form for 10 or more persons (excluding agencies, instrumentalities, or employees of the\nFederal Government). PIAs are required to be performed and updated as necessary where a system\nchange creates new privacy risks. 
Additionally, if practicable, completed PIAs should be made publicly\navailable through the Web site of the agency, publication in the Federal Register, or other means. Section\n208 also requires that published PIAs describe, among other things, what information is to be collected,\nwhy the information is being collected, and the agency\xe2\x80\x99s intended use of the information. The FDIC has\ndetermined that the Corporation is subject to the above provisions of Section 208.\n\nOMB Memorandum M-03-22, OMB Guidance for Implementing the Privacy Provisions of the\nE-Government Act, dated September 26, 2003, provides guidance for implementing provisions of Section\n208. Among other things, the OMB memorandum provides details on the required content of PIAs.10\nSpecifically, the memorandum states that agencies must conduct reviews of how information about\nindividuals is handled within their agency and that agencies must prepare PIAs, which describe the type\nof information to be collected (e.g., nature and source); why the information is being collected (e.g., to\ndetermine eligibility); and the intended use of the information (e.g., to verify existing data). OMB states\nthat Memorandum M-03-22 applies to agencies and their contractors that use IT or that operate Web sites\nfor purposes of interacting with the public.\n\nThe FDIC has established policies and procedures that require divisions and offices to complete a privacy\nquestionnaire, referred to as a Privacy Threshold Analysis (PTA), whenever new information systems11\nare developed or acquired. Specifically, the FDIC\xe2\x80\x99s procurement policy requires FDIC divisions and\noffices to complete PTAs when contracting for IT. 
The purpose of the PTA is to help the Privacy\nProgram Office determine whether the information system contains (a) public sensitive PII and is subject\nto Section 208\xe2\x80\x99s PIA requirement (external PIA) or (b) employee/contractor sensitive PII and is subject to\ninternal FDIC procedures for preparing PIAs (internal PIA). PTAs are submitted to, and analyzed by, the\nPrivacy Program Office.\n\nFor systems that are subject to Section 208 and/or FDIC internal procedures, the division or office\nsponsoring the IT project or acquisition must prepare a PIA. A single PIA may cover one or more PII\ncollections (see the following table for examples). The division or office is responsible for providing\ncompleted PIAs to the Privacy Program Office for review and approval. When a PIA for a system\ncontaining public sensitive PII is approved by the Privacy Program Office and CPO, the PIA is made\navailable to the public through a notice posted on the FDIC\xe2\x80\x99s public Web site.12 Additionally, PIAs for\nsystems containing employee/contractor sensitive PII are posted on FDIC\xe2\x80\x99s internal Privacy Program\nWeb site as a best practice. Both external and internal PIAs are approved by the CPO or designee.\n\nWe selected six collections of PII and assessed whether the associated PIAs (a) contained required\ninformation describing the FDIC\xe2\x80\x99s collection and use of the PII and (b) were completed and made\npublicly available before the FDIC began collecting the PII. We found that for five of the six collections,\nthe associated PIAs contained sufficient information regarding the collection or use of the PII. 
However, information regarding the collection and use of PII for the remaining collection was not sufficiently\ndescribed in the associated PIA. We also noted that the PIAs had not been completed and made publicly\navailable before the FDIC began collecting PII for three of the six collections. Notably, as described\nbelow, one of these three exceptions involved an information system established in 1997, which pre-dated\nthe requirement for conducting PIAs. As of May 10, 2011, the FDIC had taken action to make PIAs\ncovering all six PII collections publicly available. The table summarizes the PII collections that we\nselected and the results of our analysis. A more detailed discussion of the exceptions we found follows\nthe table.\n\nSummary Analysis of Section 208 Compliance for Selected Collections of PII\n\nFor each selected PII collection, the table identifies the associated PIA, whether the PIA contained\ninformation regarding the collection and use of the PII, and whether that information was available to\nthe public prior to collection of the PII.\n\n 1  PII Collection: Depositor claims for a closed financial institution.\n    Associated PIA: Claims Administration System (CAS) PIA\n    PIA contained information regarding collection and use of PII: Yes\n    Information available to the public prior to collection: Yes\n\n 2  PII Collection: Depositor liabilities information obtained from failed institution information system\n    during the Pre-close phase.\n    Associated PIA: CAS PIA\n    PIA contained information regarding collection and use of PII: Yes\n    Information available to the public prior to collection: Yes\n\n 3  PII Collection: Professional liability claims against directors and officers of failed financial\n    institutions.\n    Associated PIA: DRR Locations and Reporting System (DOLLARS) PIA\n    PIA contained information regarding collection and use of PII: Yes\n    Information available to the public prior to collection: Not Applicable \xe2\x80\x93 Pre-2002*\n\n 4  PII Collection: Digital images of loan files for cash asset sales.\n    Associated PIA: PIA for a confidential financial advisory firm\xe2\x80\x99s ShareVault system\n    PIA contained information regarding collection and use of PII: Yes\n    Information available to the public prior to collection: No\n\n 5  PII Collection: Loan file images maintained by DRR\xe2\x80\x99s Asset Marketing for the valuation of assets by\n    third-party asset valuation contractors.\n    Associated PIA: PIA for a confidential IT provider\xe2\x80\x99s Virtual Data Room system\n    PIA contained information regarding collection and use of PII: Yes\n    Information available to the public prior to collection: No\n\n 6  PII Collection: Persons of Interest (POI) collection maintained by DRR\xe2\x80\x99s Investigations Unit.\n    Associated PIA: DOLLARS PIA\n    PIA contained information regarding collection and use of PII: In Part\n    Information available to the public prior to collection: In Part\n\nSource: KPMG analysis of the FDIC\xe2\x80\x99s procedures pertaining to the six selected PII collections as of May 10, 2011.\nThe Privacy Program Office identified the four PIAs referenced above as covering the six selected collections.\n* DOLLARS began processing PII in 1997, approximately 6 years before Section 208 required Federal agencies to\ncomplete PIAs and make them publicly available.\n\n10\n   Section 208 delegates to the OMB Director the responsibility to develop specific implementation requirements for the provisions of\n   the legislation.\n11\n   The E-Government Act of 2002 defines an \xe2\x80\x9cinformation system\xe2\x80\x9d as a discrete set of information resources organized for the\n   collection, processing, maintenance, use, sharing, dissemination, or disposition of information. See 44 U.S.C. \xc2\xa7 3502(8). According\n   to the FDIC\xe2\x80\x99s PTA form, all technologies/systems should be initially reviewed for potential privacy impact.\n12\n   A list of the FDIC\xe2\x80\x99s PIAs is posted at http://www.fdic.gov/about/privacy/assessments.html. Interested citizens may\n   request a specific PIA for review by email to privacy@fdic.gov.\n\nTimeliness of PIAs\n\nWe identified the following three exceptions regarding the timeliness of PIAs.\n\n            Digital Images of Loan Files for Cash Asset Sales (ShareVault)\n            The FDIC, as Receiver for failed financial institutions, assumes the task of collecting and selling\n            assets from failed financial institutions. The FDIC contracted with a financial advisory firm that\n            specializes in conducting online auctions of loans from failed institutions to qualified bidders. 
On\n            behalf of the FDIC, the financial advisory firm utilized a proprietary system, called ShareVault,\n            to process and maintain digital images of loan files for cash sales to qualified bidders. These loan\n            files contained PII, such as SSNs, dates of birth, drivers\xe2\x80\x99 licenses, bank account numbers, tax\n            returns, credit reports, and employment information. DRR began collecting PII and using the\n            ShareVault system in October 2009 to market the assets from a failed financial institution. The\n            PIA was made publicly available on May 3, 2011, approximately 19 months after the FDIC began\n            collecting and storing PII in the ShareVault system.\n\n            Loan File Images Maintained by DRR\xe2\x80\x99s Asset Marketing for the Valuation of Assets by Third-\n            Party Asset Valuation Contractors (Virtual Data Rooms)\n            In its capacity as Receiver for failed financial institutions, the FDIC contracted with an IT\n            provider to provide a private data-sharing environment, called Virtual Data Rooms, to facilitate\n            the exchange of data between the FDIC and third parties. The FDIC utilized these Virtual Data\n            Rooms to market billions of dollars in assets. The Virtual Data Rooms contained significant\n            quantities of PII, such as borrower names, SSNs, dates of birth, and home addresses, in digital\n            loan files. Valuation contractors used the Virtual Data Rooms and accompanying digital loan\n            files to support Structured Asset Sales transactions by the FDIC.\n\n            The FDIC did not store PII in Virtual Data Rooms when it began using them in September 2000.\n            DRR officials had begun using Virtual Data Rooms to maintain PII in the fall of 2008. 
The PIA\n            associated with the Virtual Data Rooms was finalized and made publicly available on\n            May 10, 2011, approximately 30 months after the FDIC began collecting and storing PII in\n            Virtual Data Rooms.\n\n            Persons of Interest (POI) Collection Maintained by DRR\xe2\x80\x99s Investigations Unit\n            DRR maintains this PII collection in a password-protected Excel spreadsheet and uses it to track\n            directors, officers, mortgage brokers, real estate agents, appraisers, and others who are suspected\n            of contributing to the failure of financial institutions. Investigators access the spreadsheet when\n            screening potential FDIC employees and contractors. As of January 27, 2011, the spreadsheet\n            contained the names, SSNs, and dates of birth for approximately 4,600 individuals. According to\n            DRR officials, many of the individuals contained in the POI collection were not stored in\n            DOLLARS13 or any other FDIC information system as of January 2011. The investigators\n            indicated that they developed the spreadsheet because DOLLARS did not have the capability to\n            efficiently compare groups of potential FDIC employees and contractors against the names stored\n            in DOLLARS. This POI collection was initiated after the completion of the DOLLARS PIA. 
In\n            addition, the PIA had not been updated to include the new intended use, the new PII data type\n            collected (i.e., date of birth), or associated protections taken to secure the POI collection.\n\n13\n     The FDIC identified the DOLLARS PIA as covering the POI Collection Maintained by the DRR Investigations Unit.\n\nSection 208 requires Federal agencies, including the FDIC, to conduct PIAs of information systems and\ncollections and, in general, make PIAs publicly available before\xe2\x80\x94\n\n            1. Developing or procuring IT that collects, maintains, or disseminates PII; or\n            2. Initiating a new collection of information that\xe2\x80\x94\n               a. will be collected, maintained, or disseminated using IT; and\n               b. includes any PII permitting the physical or online contacting of a specific individual, if\n                    identical questions have been posed to, or identical reporting requirements were imposed\n                    on, 10 or more persons, other than agencies, instrumentalities, or employees of the\n                    Federal Government.\n\nAdditionally, OMB Memorandum M-03-22 supplements Section 208 requirements for preparing and\nmaking a PIA publicly available and indicates that PIA requirements apply to \xe2\x80\x9cagencies and their\ncontractors that use information technology or that operate Web sites for purposes of interacting with the\npublic.\xe2\x80\x9d The FDIC formally assessed the PII collections in the financial advisor\xe2\x80\x99s ShareVault system and\nthe IT provider\xe2\x80\x99s Virtual Data Rooms using a PTA and determined that both systems were subject to\nSection 208 requirements and required a PIA. 
However, Privacy Program staff advised us that the PIA\nrequirements of Section 208 are not legally binding with respect to the ShareVault system and Virtual\nData Rooms because the systems provide an \xe2\x80\x9cinformation service\xe2\x80\x9d that does not meet the intent of\n\xe2\x80\x9cdeveloping or procuring information technology that collects, maintains, or disseminates PII\xe2\x80\x9d as\nreferenced in Section 208. Nevertheless, the officials did recognize privacy risks associated with these\nsystems and indicated that, as a best practice, the FDIC requires that PIAs be performed for all vendors\nmaintaining sensitive PII data on behalf of the Corporation.\n\nSeveral factors contributed to the conditions described above. Some of the factors were specific to the PII\ncollections and systems that we reviewed, while others were broader in nature.\n\n            Virtual Data Rooms\n            DRR officials began using Virtual Data Rooms to maintain PII in the fall of 2008, but did not\n            notify the Privacy Program Office of this change in business practice. The Privacy Program\n            Office identified the need for a PIA in February 2009 while conducting an internal assessment,\n            and subsequently communicated this need in a report to DRR management.14 DIT did not\n            identify the need for a PIA before 2009 because the storage of PII in Virtual Data Rooms did not\n            require a software modification and, therefore, was not subject to the FDIC\xe2\x80\x99s software\n            development process, called Rational Unified Process (RUP\xc2\xae). RUP\xc2\xae includes procedures for\n            ensuring that a PIA is developed whenever an application processes sensitive PII. DRR provided\n            the Privacy Program Office with a draft PIA on May 27, 2009. 
The PIA was approved and made\n            publicly available in May 2011.\n\n            The Office of the Inspector General (OIG) previously identified the need to complete a PIA for\n            Virtual Data Rooms and make it publicly available in its report on the Independent Evaluation of\n            the FDIC\xe2\x80\x99s Information Security Program\xe2\x80\x942009 (AUD-10-001), dated November 2009. The\n            report noted that DIT could help mitigate the risk of a similar situation recurring by emphasizing\n            in awareness and training materials the importance of consulting with the Privacy Program Office\n            before using PII in information systems. In response, DIT developed additional privacy training\n            in June 2010.\n\n14\n     Privacy/Security Assessment of the Division of Resolutions and Receiverships\xe2\x80\x99 (DRR) Bank Resolution Pre-Closing Process, dated\n     April 23, 2009.\n\n            ShareVault System\n            DRR informally determined that a PIA was needed for the financial advisor\xe2\x80\x99s ShareVault system\n            in July 2009, which was 3 months before ShareVault began processing PII. According to a DRR\n            information security professional, due to higher-priority concerns with the ongoing crisis in the\n            banking sector, DRR did not prepare a PIA for the ShareVault system when it began processing\n            PII in October 2009. 
DRR provided a draft PIA to the Privacy Program Office in February 2010.\n             The PIA was approved and made publicly available in May 2011.\n\n             General Factors\n             With respect to contractor-operated information systems and/or services (such as the Virtual Data\n             Rooms and the ShareVault system), a Privacy Program staff member advised us that project\n             teams generally submit draft PIAs to the Privacy Program after (rather than before) the contract is\n             awarded and the vendor begins processing data on behalf of the FDIC. The FDIC does not have a\n             corporate-wide policy requiring FDIC divisions and offices to publish PIAs prior to the\n             implementation of a vendor-operated system or service. As previously stated, RUP\xc2\xae includes\n             procedures for ensuring that a PIA is developed for applications that process PII. However,\n             contractor-operated information systems and/or services are typically not subject to RUP\xc2\xae.\n\n             Privacy Program staff advised us that they were working to develop a corporate-wide policy15\n             that would describe the roles, responsibilities, and circumstances surrounding when PIAs are\n             required. 
This policy could include a requirement for divisions and offices to finalize PIAs\n             before FDIC or contractor-operated systems and/or services collect, maintain, or disseminate PII.\n             Such a requirement would be consistent with Section 208 requirements.\n\n             As of April 2011, the Privacy Program Office was tracking and working to address eight\n             additional information systems that were processing PII without a completed and publicly\n             available PIA.16 Although not required by statute or policy, the FDIC may find it beneficial to\n             develop a strategy for elevating, reporting, and resolving instances of non-compliance with\n             privacy-related requirements, including PIA requirements. Such a strategy, which could be\n             referenced in the corporate-wide policy discussed above, would help focus management attention\n             on the need for prompt action in resolving instances of non-compliance with privacy\n             requirements when competing priorities exist. It may also help mitigate delays in completing\n             PIAs, such as those experienced with the financial advisor\xe2\x80\x99s ShareVault system and the IT\n             provider\xe2\x80\x99s Virtual Data Rooms.\n\nPIAs are intended to promote the public trust through increased transparency and assurances that personal\ninformation maintained by or for a Federal agency is protected. When PIAs are not completed and made\navailable to the public in a timely manner, the FDIC has reduced assurance that it performed the\nnecessary risk assessment and informed the public, in a timely manner, of the FDIC\xe2\x80\x99s collection and use\nof the information.\n\n15\n     Draft FDIC Circular, entitled Privacy Impact Assessment Requirements.\n16\n     These systems were not part of our sample. 
Six of the eight systems involved applications dealing with secure email, email archival\n     solutions, voicemail, and other communication technologies with the public. Privacy Program staff are evaluating alternatives\n     for presenting the information for these six systems to either the public or employees. For the remaining two systems involving\n     public PII, the PIAs are expected to be completed by year-end, according to Privacy Program staff.\n\nRecommendations\n\nWe recommend that the CPO:\n\n    1. Finalize and issue the draft corporate policy on PIA requirements and include clarifying language\n       in the policy that requires PIAs to be completed and publicly available before collecting,\n       maintaining, or disseminating PII.\n\n    2. Enhance Privacy Program controls by defining a strategy for elevating and reporting instances of\n       non-compliance with relevant Federal privacy requirements to appropriate senior management\n       officials who are in a position to ensure they are promptly and effectively resolved.\n\nContent of PIAs\n\nPIAs for five of the six PII collections that we reviewed described the FDIC\xe2\x80\x99s collection and use of PII\nand identified the associated SORN. However, the PIA for the remaining collection\xe2\x80\x94POI Collection\nmaintained by the DRR Investigations Unit\xe2\x80\x94did not fully describe (a) what information was being\ncollected, (b) the purpose of the collection, or (c) how the information was secured. The FDIC identified\nthe DOLLARS PIA as covering the POI Collection maintained by the DRR Investigations Unit. 
The POI\nCollection maintained by the DRR Investigations Unit resides in a password-protected Excel spreadsheet\nthat was developed by DRR investigators to track directors, officers, mortgage brokers, real estate agents,\nappraisers, and others suspected of contributing to the failure of financial institutions. Investigators\naccess the spreadsheet when screening potential FDIC employees and contractors. The investigators\nadvised us that, as of January 2011, the POI collection contained specific PII information that was not in\nDOLLARS or any other FDIC information system. As of January 2011, the spreadsheet contained the\nnames, SSNs, and dates of birth for approximately 4,600 individuals.\n\nSection 208 requires that published PIAs describe, among other things, what information is to be\ncollected, why the information is being collected, and the agency\xe2\x80\x99s intended use of the information.\nOMB Memorandum M-03-22, OMB Guidance for Implementing the Privacy Provisions of the\nE-Government Act, provides detailed information regarding the required content of PIAs. The OMB\nmemorandum states that PIAs must analyze and describe the type of information to be collected (e.g.,\nnature and source), why the information is being collected (e.g., to determine eligibility), and the intended\nuse of the information (e.g., to verify existing data).\n\nThe Privacy Program Office did not identify the need to update the DOLLARS PIA for the POI\nCollection because DRR officials did not identify the POI spreadsheet as a new collection of PII.\nAdditionally, the spreadsheet was not subject to the RUP\xc2\xae software development process and the\nassociated analysis for potential privacy requirements.\n\nFDIC officials advised us that employees and contractors often create spreadsheets and databases using\ndata from FDIC information systems for the purpose of facilitating analysis. Such spreadsheets are\ngenerally covered by existing PIAs. 
However, in the case of the spreadsheet described above, the data\nwas not derived from another FDIC information system. Rather, it was derived from failed financial\ninstitution files, and the PII collection was not covered by an existing PIA.\n\nWe recognize that it is not cost-beneficial to conduct a review of every spreadsheet or database that an\nFDIC employee or contractor creates to determine whether a PIA is required. However, the FDIC could\nbenefit from developing a strategy to help identify and address instances of new PII collections that occur\noutside of the traditional systems development life cycle that might require a PIA. Such a strategy could\nconsist of increased emphasis in the FDIC\xe2\x80\x99s annual privacy awareness materials regarding the importance\nof contacting the Privacy Program Office when creating new PII collections, conducting periodic reviews\nto identify such collections, and/or enhancing the Privacy Program Office\xe2\x80\x99s ongoing monitoring activities\nto help identify data collections outside of the systems development life cycle.\n\nAbsent an update to the DOLLARS PIA that addresses information related to the POI Collection maintained by the\nDRR Investigations Unit, the FDIC has reduced assurance that it has adequately assessed the risk of\ncollecting, monitoring, and using the information and informed the public, in a timely manner, of the\nFDIC\xe2\x80\x99s collection and use of the information.\n\nSubsequent to sharing our preliminary audit results with the FDIC on June 30, 2011, the Privacy Program\nOffice revised the DOLLARS PIA to incorporate the POI Collection maintained by the DRR\nInvestigations Unit and made it publicly available on July 25, 2011. 
We are, therefore, making no\nrecommendation regarding the need for a PIA for this PII collection.\n\nRecommendation\n\nWe recommend that the CPO:\n\n    3. Develop a strategy to help identify and address instances of new PII collections that occur outside\n       of the traditional systems development life cycle that might require a PIA.\n\nPrivacy Act \xe2\x80\x93 System of Records Notices\n\nThe Privacy Act includes requirements for Federal agencies, including the FDIC, to inform the public of\nthe existence of systems of records that contain PII and to \xe2\x80\x9cestablish appropriate administrative, technical\nand physical safeguards to insure the security and confidentiality of records.\xe2\x80\x9d17 For the purposes of the\nPrivacy Act, a system of records is \xe2\x80\x9ca group of any records under the control of any agency from which\ninformation is retrieved by the name of the individual or by some identifying number, symbol, or other\nidentifying particular assigned to the individual.\xe2\x80\x9d18\n\nThe Privacy Act also requires that agencies publish a notice \xe2\x80\x9cupon the establishment or revision\xe2\x80\x9d of a\nsystem of records. OMB has determined that the notice must be published before the system of records\nbecomes \xe2\x80\x9coperational.\xe2\x80\x9d OMB\xe2\x80\x99s original interpretation of \xe2\x80\x9coperational\xe2\x80\x9d meant \xe2\x80\x9cBefore any information\nabout individuals is collected.\xe2\x80\x9d In 1996, OMB clarified that interpretation so that it applies to the\ncollection and use of the information. 
Additionally, if the agency is publishing a new \xe2\x80\x9croutine use\xe2\x80\x9d of the\ninformation in the system of records, the notice must be published at least 30 days before the release of\nthe information.19 At the FDIC, SORNs are published after authorization by the Board of Directors.\n\nWe selected two SORNs published by the FDIC in the Federal Register to determine whether the SORNs\n(a) had been approved by the FDIC\xe2\x80\x99s Board of Directors, (b) were published in the Federal Register at\nleast 30 days prior to the collection and use of PII, and (c) satisfied the content requirements defined in\nthe Privacy Act.20 These two SORNs were FDIC-30-64-0032, Nationwide Mortgage Licensing System\nand Registry, published on March 21, 2011; and FDIC-30-64-0031, Online Ordering Request Records,\npublished on October 26, 2009.\n\nWe determined that the Board had approved the SORNs for both systems prior to their publication in the\nFederal Register and that the SORNs were published with appropriate notice and addressed the content\nrequirements of the Privacy Act.\n\n17\n   The Privacy Act of 1974, 5 U.S.C. \xc2\xa7 552a(e)(10).\n18\n   The Privacy Act of 1974, 5 U.S.C. \xc2\xa7 552a(a)(5).\n19\n   See id., \xc2\xa7 552a(e)(4) and (e)(11), and OMB\xe2\x80\x99s Privacy Act Guidelines (published July 9, 1975) as well as Appendix I, Federal\n   Agency Responsibilities for Maintaining Records About Individuals to OMB Circular No. 
A-130 (published February 20, 1996).
20 KPMG assessed the nine required elements of a SORN: 1) system location and name; 2) categories of individuals covered by the system; 3) categories of records in the system; 4) purpose and routine uses of records maintained; 5) policies and practices for storing, retrieving, accessing, retaining, and disposing of records in the system; 6) system manager and address; 7) notification and records access procedure; 8) contesting record procedure; and 9) record source categories. Federal Register, Vol. 74 (October 26, 2009).

I-16

APPENDIX I – OBJECTIVE, SCOPE, AND METHODOLOGY

Objective

The audit objective was to assess the FDIC’s privacy program and practices. Specifically, the audit included an assessment of the FDIC’s compliance with the following:

(a) Section 208 of the E-Government Act of 2002 (Section 208) as it relates to performing PIAs,
(b) Provisions of the Privacy Act of 1974 (Privacy Act) related to SORNs and privacy policy disclosures,
(c) Section 522 requirements for establishing a privacy program and supporting privacy policies, and
(d) Related privacy guidance established by OMB for SORNs and PIAs.

Scope

As required by our task assignment with the FDIC OIG, KPMG evaluated the FDIC’s compliance with Federal privacy-related statutes and other criteria agreed upon with the OIG. KPMG completed a formal analysis of Federal privacy-related statutes and relevant FDIC policy to identify areas that KPMG would use to assess the FDIC's compliance with Section 522, the Privacy Act of 1974, Section 208 of the E-Government Act, and OMB Memorandum M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 (OMB M-03-22).

Based on the analysis of privacy criteria, the scope of the audit focused exclusively on the following areas:

1. Establishment of a Privacy Program
2. Policies and Procedures for Privacy
3. System of Records Notices (SORNs)
4. Privacy Impact Assessments (PIAs)
5. Privacy Policy Disclosure
6. Privacy Act Statements

KPMG selected the above areas for testing because Section 522 makes multiple references to the Privacy Act of 1974, Section 208, and OMB M-03-22. KPMG prioritized its testing to determine compliance with key provisions of Section 522, the Privacy Act, the E-Government Act, and/or OMB regulations. The audit did not include an evaluation of access controls over PII collected and maintained by the FDIC because the OIG planned to evaluate these controls as part of its annual FISMA audit.

Our audit included a non-statistical21 selection of six collections of PII pertaining to business processes within DRR. For each collection, we assessed whether the FDIC conducted and publicly posted the associated PIAs and SORNs consistent with relevant Federal privacy-related requirements in Section 208, the Privacy Act, and OMB guidance. We also analyzed the two most recent SORNs created within the last 3 years from a population of 32 SORNs.

The AICPA developed the GAPP as a framework to help organizations proactively manage privacy risks. GAPP provides a set of recommended privacy practices to help organizations build effective privacy programs. The FDIC’s Privacy Program has voluntarily adopted aspects from the 10 principles of GAPP and incorporated those principles and associated practices into the FDIC’s Privacy Program Strategic Framework, dated August 11, 2008. We compared the FDIC’s monitoring activities to one GAPP principle, Monitoring and Enforcement, and the related criteria, controls, and procedures that can be used by an organization to monitor compliance with its privacy policies and procedures. As the FDIC is not required by policy or statute to implement GAPP, we have separately communicated the results of this analysis to the FDIC.

21 A non-statistical sample is judgmental and, therefore, cannot be projected to the population.

I-17

KPMG did not perform procedures to determine the validity or reliability of computer-based data. In general, electronic or computer data was not critical to satisfy the audit objective. KPMG conducted alternative procedures through interviews of application owners to determine the presence of PII data and the status of privacy initiatives. In addition, KPMG’s assessments of the FDIC’s management controls and compliance with laws and regulations were limited to those related to privacy, particularly those dealing with agency privacy-management requirements. Further, KPMG did not design tests to detect fraud, waste, abuse, and mismanagement. However, throughout the audit, KPMG was sensitive to the potential for fraud, waste, abuse, and mismanagement.

Methodology

In consultation with the FDIC OIG, we developed an audit approach based on our review of privacy legislative requirements and FDIC policies, procedures, and guidelines. The audit approach included the evaluation of a selection of internal control activities supporting compliance with legal requirements (Privacy Act, E-Government Act, Section 522, and OMB guidance). We considered risks, results of internal reviews, Government-wide and FDIC goals, the maturity of the privacy program, and other factors in making our selection. We evaluated the selected activities for a subset of collections of PII identified through review of FDIC business processes. We conducted interviews with appropriate FDIC personnel to obtain an understanding of each privacy control activity within the scope of the audit. Additionally, we reviewed FDIC documentation applicable to privacy, including FDIC directives, DIT internal policies, and the FDIC’s Privacy Program Strategic Framework describing the FDIC’s risk management framework and internal control activities. The Results of Audit section of this report presents the results of our review of these activities.

This audit did not assess controls at depository institutions, insured or regulated by the FDIC, that routinely provide financial information to the Corporation. We performed the audit at the FDIC’s offices in Arlington, Virginia, from December 6, 2010 to June 30, 2011, and tested controls that were implemented as of May 10, 2011 for the six sampled collections of PII and two sampled SORNs. Throughout the audit, we met with FDIC management to discuss preliminary observations.

KPMG conducted this performance audit in accordance with GAGAS issued by the Comptroller General of the United States. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence that provides a reasonable basis for our findings and conclusions based on our audit objectives.

I-18

APPENDIX II – SIGNIFICANT CRITERIA

Applicable Statutory Privacy Criteria

The Privacy Act of 1974 imposes various requirements for Federal agencies whenever they collect, create, maintain, and distribute records (as defined in the Act, and regardless of whether they are in hardcopy or electronic format) that can be retrieved by the name of an individual or other identifier. One such requirement is to establish appropriate administrative, technical, and physical safeguards to ensure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity, which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual about whom information is maintained. Another requirement is that when collecting information from individuals, the agency is to include on the form a Privacy Act Statement which indicates the authority for soliciting the information, the intended purpose(s) and routine uses of the information, whether disclosure is required, and the effect of not providing the information. As a Federal agency, the FDIC is subject to the requirements of the Act. The Act can be located at http://www.usdoj.gov/oip/privstat.htm.

Consolidated Appropriations Act of 2005, Division H, Section 522 (now 42 U.S.C. § 2000ee-2). Enacted in December 2004, section 522 directs agencies, including the FDIC, to implement a number of measures to protect IIF.
Such measures include:

• Appointing a CPO to assume primary responsibility for agency privacy and data protection policy.
• Establishing and implementing comprehensive privacy and data protection procedures governing the collection, use, sharing, disclosure, transfer, storage, and security of IIF relating to agency employees and the public. Such procedures are to be consistent with legal and regulatory guidance, including OMB regulations; the Privacy Act of 1974; and section 208 of the E-Government Act of 2002.
• Preparing a written report, signed by the CPO, that provides a benchmark for the agency’s privacy program and describes the agency’s use of IIF, along with its privacy and data protection policies and procedures. The report is to be recorded with the agency Inspector General.
• Preparing an annual report to Congress on the activities of the Department that affect privacy, including complaints of privacy violations, implementation of the Privacy Act, internal controls, and other relevant matters.

Section 522 also requires the Inspector General of each agency to periodically conduct a review of the agency's implementation of Section 522 requirements and report the results of its review to Congress. The Inspector General may contract with an independent, third party organization to conduct the review.

E-Government Act of 2002, Section 208. This Act seeks to promote electronic Government services and to enhance access to Government information consistent with laws regarding personal privacy. Section 208 is intended to protect personal information by requiring agencies to (1) conduct PIAs of information systems and collections and, in general, make PIAs publicly available; and (2) report annually to the OMB on compliance with Section 208. The FDIC has determined that it is subject to the requirements of this provision. The Act also requires the Director, OMB, to draft guidelines regarding (1) agency posting of privacy policies on agency Web sites used by the public; and (2) translating privacy policies into a machine-readable format.

I-19

Applicable Privacy-Related OMB Guidance

OMB M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002. The memorandum provides detailed guidance to agencies on how to implement section 208 of the E-Government Act (see above). It provides definitions and explains when PIAs are or are not required, the manner in which PIAs are conducted, and their relationship with the Paperwork Reduction Act and the Privacy Act. The memorandum contains requirements for the agency Web site, specifically regarding privacy policies and persistent tracking technologies ("cookies"). Other provisions address privacy policies in machine-readable formats, responsibilities of agency officials, and reporting requirements. To the extent that the provisions of this memorandum are legally binding on the FDIC, the FDIC has taken steps to implement those provisions or has otherwise taken them into account. This memorandum replaces OMB memoranda 99-18, Privacy Policies on Federal Web Sites, and 00-13, Privacy Policies and Data Collection on Federal Web Sites. The memorandum can be located at http://www.whitehouse.gov/omb/memoranda/m03-22.html.

OMB Circular No. A-130, Management of Federal Information Resources. The circular establishes policy for the management of Federal information technology. The circular contains two relevant appendixes:

Appendix I, Federal Agency Responsibilities for Maintaining Records about Individuals, describes agency responsibilities for implementing the reporting and publication requirements of the Privacy Act of 1974. The FDIC has determined that OMB Circular No. A-130, Appendix I, applies to the Corporation.

Subsequent OMB policy provides additional information regarding agency responsibilities for designating a senior agency official for privacy, conducting PIAs, developing privacy policies for Web sites, providing privacy education to employees and contractor personnel, and reporting privacy activities.

Appendix III, Security of Federal Automated Information Resources, requires agencies to establish controls to assure adequate security for all information processed, transmitted, or stored in Federal automated information systems. OMB A-130 Appendix III defines adequate security as security commensurate with the risk and magnitude of harm resulting from the loss; misuse; or unauthorized access to, or modification of, information. Most of the circular’s provisions are legally binding on the FDIC.

The circular can be located at http://www.whitehouse.gov/omb/circulars/a130/a130trans4.pdf.

Applicable FDIC Policy regarding Privacy

FDIC Rules and Regulations, Parts 309 and 310. Part 309, Disclosure of Information, sets forth the basic policies of the FDIC regarding the information it maintains and the procedures for obtaining access to such information. Part 310, Privacy Act Regulations, establishes regulations implementing the Privacy Act by delineating the procedures that an individual must follow in exercising his or her access or amendment rights under the Privacy Act to records maintained by the Corporation in systems of records. FDIC Rules and Regulations Parts 309 and 310 can be located at http://www.fdic.gov/regulations/laws/rules/2000-3800.html.

I-20

FDIC Circular 1031.1, Administration of the Privacy Act, establishes requirements for the collection, maintenance, use, and dissemination of records subject to the Privacy Act of 1974.

FDIC Circular 1360.9, Protecting Sensitive Information, implements aspects of the Privacy Act and requires FDIC employees and contractors to follow the FDIC’s “Procedures for Responding to Breach of Personally Identifiable Information.”

FDIC Circular 1310.3, Information Technology Security Risk Management Program, establishes guidance for managing risks to general support systems and sensitive applications and protecting the confidentiality, integrity, and availability of the sensitive data that the systems process.

FDIC RUP® establishes standardized procedures covering the development lifecycle of FDIC application and IT systems. RUP® is a collected body of software engineering practices that are continually improved to reflect changes in industry practices.

DRR Circular 7100.2, Maintenance and Protection of Bank Employee and Customer Personally Identifiable Information, establishes DRR policies and guidelines for the protection and safeguarding of confidential and/or sensitive personally identifiable bank employee and customer information.

Other Relevant Privacy Guidance

The Government Accountability Office’s Standards for Internal Control in the Federal Government, November 1, 1999. The publication provides an overall framework for establishing and maintaining internal control and for identifying and addressing major performance management challenges and areas at great risk of fraud, waste, abuse and mismanagement. This publication builds upon prior internal control guidance from the Committee of Sponsoring Organizations of the Treadway Commission (COSO). This publication is relevant as it provides a broad framework to evaluate FDIC’s Privacy Program. This document may be found at http://www.gao.gov/products/AIMD-00-21.3.1.

OMB Memorandum M-05-08, Designation of Senior Agency Officials for Privacy, requests that agencies designate a senior official for privacy. The memorandum can be located at http://www.whitehouse.gov/omb/memoranda/fy2005/m05-08.pdf.

I-21

APPENDIX III – LIST OF ACRONYMS

Acronym      Definition
AICPA        American Institute of Certified Public Accountants
CAS          Claims Administration System
CIO          Chief Information Officer
CPO          Chief Privacy Officer
DIT          Division of Information Technology
DOLLARS      DRR Locations and Reporting System
DRR          Division of Resolutions and Receivership
FDIC         Federal Deposit Insurance Corporation
FISMA        Federal Information Security Management Act
GAGAS        Generally Accepted Government Auditing Standards
GAPP         Generally Accepted Privacy Principles
IIF          Information in an Identifiable Form
ISM          Information Security Manager
ISPS         Information Security and Privacy Staff
IT           Information Technology
KPMG         KPMG LLP
NIST         National Institute of Standards and Technology
OIG          Office of Inspector General
OMB          Office of Management and Budget
PIA          Privacy Impact Assessment
PII          Personally Identifiable Information
POI          Persons of Interest
PTA          Privacy Threshold Analysis
RUP®         Rational Unified Process
Section 208  Section 208 of the E-Government Act of 2002
Section 522  Section 522 of Division H of the Consolidated Appropriations Act of 2005, as amended
SORN         System of Records Notice
SSN          Social Security Number
U.S.C.       United States Code

I-22

APPENDIX IV – GLOSSARY OF TERMS

Information in Identifiable Form (IIF)

OMB Memorandum M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, defines IIF as information in an information system or an on-line collection that directly identifies an individual (e.g., name, address, SSN, or other identifying code, telephone number, email address, etc.)
or by which an agency intends to identify specific individuals in conjunction with other data elements.

OMB Memorandum M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments, introduced the term PII as a replacement for IIF.

Information Security Managers (ISMs)

ISMs work together with FDIC security and privacy staff to educate employees and contractors who have access to corporate systems and data. ISMs are responsible for providing guidance to management officials regarding the Corporation’s security mission, awareness, priorities and implementation approaches. They ensure the full implementation of the risk management program, including: assessing application security levels, preparing risk assessment reports, planning security requirements in new and enhanced systems, overseeing security plans and related Plans of Action and Milestones, and facilitating the successful completion of the certification and accreditation process. ISMs are also responsible for promoting awareness and compliance with FDIC security policies and procedures, legal mandates, accepted audit recommendations, and annual corporate and application-specific training.

Personally Identifiable Information (PII)

FDIC Circular 1360.9, Protecting Sensitive Information, which references OMB Memorandum M-06-19, defines PII as any information about an individual maintained by the FDIC that can be used to distinguish or trace that individual’s identity, such as their full name, home address, email address (non-work), telephone numbers (non-work), SSN, driver’s license/state identification number, employee identification number, date and place of birth, mother’s maiden name, photograph, biometric records (e.g., fingerprint, voice print), etc. This also includes, but is not limited to, education, financial information (e.g., account number, access or security code, password, personal identification number); medical information; investigation report or database; criminal or employment history or information; or any other personal information that is linked or linkable to an individual.

Structured Asset Sale Transaction

A structured asset sale transaction is the sale of a portfolio of assets owned by the FDIC or in its capacity as Receiver (i.e., the Seller). The transaction could involve the sale of any type of asset, but it usually involves owned real estate and/or commercial and multi-family non-performing mortgage loans. (Note, occasionally performing loans are included in the portfolio.) DRR coordinates the transaction from start to finish. DRR may secure a Financial Advisor who develops a plan to market the pool of assets and packages them in the most attractive form for investors.

I-23

Part II

Management’s Comments and OIG Evaluation

MANAGEMENT’S COMMENTS AND OIG EVALUATION

On September 12, 2011, the FDIC’s CIO, who also serves as the Director, DIT, and CPO, provided a written response to a draft of this report. The response is presented in its entirety beginning on the next page. Management concurred with KPMG’s three recommendations, and the planned actions are sufficient to resolve all of them.

In response to the recommendations, DIT expects to finalize and issue corporate policy that includes a requirement for PIAs to be completed and publicly available before collecting, maintaining, and disseminating PII. DIT also plans to develop strategies for (1) elevating and reporting instances of non-compliance with privacy-related requirements to appropriate senior management officials who are in a position to ensure they are promptly and effectively resolved and (2) identifying and addressing instances of new PII collections that occur outside of the traditional systems development life cycle that might require a PIA.
DIT expects to complete these actions by December 30, 2011. A summary of management’s response to the recommendations is on page II-4.

II-1

Corporation Comments

Federal Deposit Insurance Corporation
3501 Fairfax Drive, Arlington, VA 22226-3500                    Division of Information Technology

September 12, 2011

TO:       Mark Mulholland
          Assistant Inspector General for Audits

FROM:     /Signed/
          Russell G. Pittman
          Chief Information Officer,
          Director, Division of Information Technology, and
          Chief Privacy Officer

SUBJECT:  Management Response to the Draft KPMG LLP Audit Report Entitled, The FDIC's Privacy Program - 2011 (Assignment No. 2011-011)

This memorandum is in response to the subject draft Office of Inspector General (OIG) report, issued August 12, 2011, and performed by KPMG LLP. We appreciate and agree with the OIG/KPMG audit team’s observations that the FDIC had properly:

• Appointed a Chief Privacy Officer (CPO) with overall responsibility for the FDIC’s privacy program and submitted annual privacy reports to OMB and Congress as required by Section 522 in the Consolidated Appropriations Act of 2005;
• Established processes for preparing Privacy Impact Assessments (PIAs) and System of Records Notices (SORNs) and making them publicly available;
• Posted its privacy policies on the FDIC’s public Web site consistent with Section 208 of the E-Government Act of 2002 and Privacy Act of 1974 requirements;
• Approved the two SORNs sampled, published them in the Federal Register, and addressed the content requirements of the Privacy Act; and further,
• Included the required legal disclosures, referred to as a Privacy Act Statement, on all sampled Division of Resolutions and Receiverships forms that collect Personally Identifiable Information (PII) from the public in accordance with the Privacy Act.

Based on the overall results of the audit, the Division of Information Technology (DIT) agrees with all three of the recommended steps to further strengthen FDIC’s privacy program practices. This response outlines DIT’s planned corrective actions for each of the recommendations.

II-2

II-3

SUMMARY OF MANAGEMENT’S COMMENTS ON THE RECOMMENDATIONS

This table presents management’s response to the recommendations in the report and the status of the recommendations as of the date of report issuance.

Rec. No. 1
Corrective Action: Taken or Planned: The FDIC will finalize and issue the current draft circular, Implementation of the Privacy Provisions of the E-Government Act of 2002. The final policy will incorporate clarifying language that requires PIAs to be completed and publicly available before collecting, maintaining, or disseminating PII.
Expected Completion Date: Dec. 30, 2011
Monetary Benefits: N/A
Resolved:a Yes or No: Yes
Open or Closedb: Open

Rec. No. 2
Corrective Action: Taken or Planned: Instances of noncompliance with relevant Federal privacy requirements will be escalated to the Chief Information Security Officer and/or CPO for action with the appropriate senior management. This strategy will be documented in an internal privacy program memorandum.
Expected Completion Date: Dec. 30, 2011
Monetary Benefits: N/A
Resolved:a Yes or No: Yes
Open or Closedb: Open

Rec. No. 3
Corrective Action: Taken or Planned: The FDIC’s current draft circular, Implementation of the Privacy Provisions of the E-Government Act of 2002, will be updated to include a strategy to help identify and address instances of new PII collections that occur outside of the traditional systems development life cycle that might require a PIA.
Expected Completion Date: Dec. 30, 2011
Monetary Benefits: N/A
Resolved:a Yes or No: Yes
Open or Closedb: Open

a Resolved – (1) Management concurs with the recommendation, and the planned, ongoing, and completed corrective action is consistent with the recommendation. (2) Management does not concur with the recommendation, but alternative action meets the intent of the recommendation. (3) Management agrees to the OIG monetary benefits, or a different amount, or no ($0) amount. Monetary benefits are considered resolved as long as management provides an amount.
b Recommendations will be closed when (a) the Office of Enterprise Risk Management notifies the OIG that corrective actions are complete or (b) in the case of recommendations that the OIG determines to be particularly significant, when the OIG confirms that corrective actions have been completed and are responsive.

II-4